The Top 15 Account Names Used For Malicious SSH Login Attempts

As many of you are aware, HexHound recently moved to new hosting. It comes as no surprise that there are bad actors out there with nothing better to do than attempt to compromise the server; what is surprising to me is the frequency of the malicious login attempts, especially considering a warning banner is posted. Thankfully I did harden this server prior to publishing it to the web and the banner doesn’t lie – logging is set up and I do report malicious IPs.

One step I didn’t take while hardening the server is moving SSH to an alternate port. I have several reasons for this –

I don’t believe in security through obscurity.

There are security risks to moving a service to a high port, as ports above 1023 are not privileged in Linux: if sshd is ever not listening, any local user can bind a process to that port and impersonate it.

Applications sometimes misbehave when a service is running on an unexpected port.

It is hard to remember the port number.

Nevertheless, I have addressed the situation, as the activity I have observed is simply obnoxious. The results below are, in some ways, due to this system functioning as an unintentional honeypot and were largely collected during the period of 2/15/2015-2/24/2015.

Here’s Symantec’s list, with my place numbers listed next to theirs. I have extended the places beyond 15 for more insight.

| Place (Symantec) | Account Name | Login Attempts (Symantec) | HexHound Place |
|---|---|---|---|
| 1 | root | 1049 | 1 |
| 2 | admin | 97 | 34 |
| 3 | test | 87 | 3 |
| 4 | guest | 40 | 17 |
| 5 | mysql | 31 | 59 |
| 6 | info | 30 | 36 |
| 7 | oracle | 27 | 8 |
| 8 | postgres | 27 | 10 |
| 9 | testing | 27 | 187 |
| 10 | webmaster | 27 | 166 |
| 11 | paul | 25 | |
| 12 | web | 24 | 85 |
| 13 | user | 23 | 2 |
| 14 | tester | 22 | 188 |
| 15 | pgsql | 21 | |
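The HexHound column above comes from the server’s own SSH log. As an added example (not the tooling used for this post), here is the kind of tally that produces such a ranking from sshd’s entries in /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL): it counts failed password attempts per account name and per source IP, and lists the sources that cross a reporting threshold. The log lines, hostname, process IDs and addresses are all constructed for the example (the addresses come from the RFC 5737 documentation ranges). Two caveats a practitioner should know: sshd writes a separate “Invalid user NAME from IP” line just before the failure line for unknown accounts, so only the “Failed password” lines are counted to avoid double counting; and once password authentication is disabled the failures are logged differently (as pre-auth disconnects), so a tally like this is most useful while passwords are still accepted.

```python
import re
from collections import Counter

# Constructed sample of sshd log entries; hosts, PIDs and addresses are made up.
SAMPLE_AUTH_LOG = """\
Feb 15 03:12:01 hexhound sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
Feb 15 03:12:04 hexhound sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
Feb 15 03:13:10 hexhound sshd[2215]: Failed password for invalid user admin from 198.51.100.9 port 40211 ssh2
Feb 15 03:13:12 hexhound sshd[2217]: Invalid user test from 198.51.100.9
Feb 15 03:13:13 hexhound sshd[2217]: Failed password for invalid user test from 198.51.100.9 port 40212 ssh2
Feb 15 03:14:00 hexhound sshd[2220]: Failed password for invalid user minecraft from 192.0.2.77 port 33333 ssh2
Feb 15 03:14:02 hexhound sshd[2222]: Failed password for invalid user teamspeak from 192.0.2.77 port 33334 ssh2
Feb 15 03:15:00 hexhound sshd[2230]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
Feb 15 03:16:00 hexhound sshd[2240]: Failed password for root from 192.0.2.77 port 33340 ssh2
"""

# Only "Failed password" lines are counted. The "Invalid user NAME from IP" line
# that precedes them for unknown accounts would double-count those attempts.
# Accounts that exist (root) carry no "invalid user" prefix, hence the optional group.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def tally_failed_logins(log_text):
    """Return (per-account, per-source-IP) Counters of failed password attempts."""
    by_user, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m is None:  # successful logins, "Invalid user" lines, other daemons
            continue
        by_user[m.group("user")] += 1
        by_ip[m.group("ip")] += 1
    return by_user, by_ip


def rank_accounts(log_text, top=15):
    """Most-targeted account names, worst first (the HexHound column above)."""
    by_user, _ = tally_failed_logins(log_text)
    return by_user.most_common(top)


def sources_to_report(log_text, threshold=3):
    """Source IPs with at least `threshold` failures, worst first: the
    candidates for an abuse report or a firewall block."""
    _, by_ip = tally_failed_logins(log_text)
    return [(ip, n) for ip, n in by_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    for name, n in rank_accounts(SAMPLE_AUTH_LOG):
        print(f"{n:5d}  {name}")
    print("report:", sources_to_report(SAMPLE_AUTH_LOG))
```

On a systemd host the same lines can be fed in from `journalctl -u ssh -o short`; the regular expression only depends on sshd’s message text, not on the syslog prefix.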

Key Takeaways

Again, it is no surprise that “root” is number one on both lists. Always, ALWAYS disable root login over SSH (PermitRootLogin no in sshd_config). If an adversary gets root access, it is game over, as root is the all-powerful user on *nix-based systems. Even worse, commands run in an interactive root shell are not logged anywhere except that shell’s history, which root can simply erase. This is one of the reasons to invoke “sudo” for privilege escalation: every sudo command is logged, together with the invoking user, to the auth log. If possible, logs should be forwarded to another protected server so that even if the target server were compromised, you would still know exactly what commands were run.
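As an added example, not the configuration from this server: the sshd_config settings the paragraph above calls for, beside a small checker that reads a config the way sshd reads its simple keywords (a ‘#’ starts a comment, keyword and value may be separated by whitespace or ‘=’, keywords are case-insensitive, the first occurrence of a keyword wins, and anything after a Match line applies only to matching connections) and flags the weak values. Both config texts are constructed here. The defaults assumed for keywords that are absent are those documented in sshd_config(5) for current OpenSSH; releases before 7.0 defaulted PermitRootLogin to yes, which is one more reason to set it explicitly. The definitive check on a live host remains `sshd -T`, which prints the effective configuration after defaults and Match blocks are applied.

```python
import re

# Constructed example of a weak, default-looking sshd_config.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#LogLevel INFO
UsePAM yes
"""

# Constructed hardened counterpart. AllowUsers restricts SSH to named accounts,
# so service accounts such as mysql or postgres can never log in at all.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LogLevel VERBOSE
AllowUsers deploy
"""

# (keyword, value assumed when absent, acceptable-value test, why it matters).
# Defaults per sshd_config(5) for current OpenSSH; pre-7.0 releases defaulted
# PermitRootLogin to "yes", so the check insists on an explicit "no".
CHECKS = [
    ("permitrootlogin", "prohibit-password",
     lambda v: v == "no",
     "root must not be able to log in over SSH at all"),
    ("passwordauthentication", "yes",
     lambda v: v == "no",
     "password guessing is exactly what the attempts above are; use keys"),
    ("pubkeyauthentication", "yes",
     lambda v: v == "yes",
     "key authentication must stay enabled once passwords are off"),
    ("maxauthtries", "6",
     lambda v: v.isdigit() and int(v) <= 3,
     "fewer guesses per connection slows brute forcing"),
    ("loglevel", "info",
     lambda v: v in {"verbose", "debug", "debug1", "debug2", "debug3"},
     "VERBOSE records the key fingerprint used for each accepted login"),
]

_KEYWORD_RE = re.compile(r"(\S+?)\s*(?:=|\s)\s*(.*)")


def parse_sshd_config(text):
    """Global-section keywords of an sshd_config as {keyword: value}, lower-cased.

    Mirrors sshd's handling of simple keywords: comments stripped, '=' or
    whitespace as separator, case-insensitive keywords, FIRST occurrence wins,
    and parsing stops at the first Match line (its settings are conditional)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KEYWORD_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip().lower()
        else:  # keyword with no value
            key, value = line.lower(), ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; empty when every CHECKS entry is satisfied."""
    settings = parse_sshd_config(text)
    findings = []
    for key, default, acceptable, why in CHECKS:
        explicit = key in settings
        value = settings[key] if explicit else default
        if not acceptable(value):
            origin = "set explicitly" if explicit else "compiled-in default"
            findings.append(f"{key}={value} ({origin}): {why}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or "OK")
```

The sudo and log-forwarding advice is outside sshd_config: sudo already records each command through syslog, and shipping that stream to another host is a syslog-daemon change (for rsyslog, a rule such as `authpriv.* @@loghost:514` forwards over TCP), so the checker deliberately covers only the SSH daemon’s side.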

Default and developer test accounts should also be closely monitored. It is no accident that “user” and “test” (along with every variation you can think of) appear on both lists. While these accounts are not likely to be privileged, any foothold gives an attacker a place to escalate from, so gaining access is an important step towards compromise and should be taken seriously. It is also clear that the adversaries are searching for the default accounts associated with common services, such as “oracle”, “mysql”, “pgsql”, and “postgres”, which are all common databases; such service accounts should have no password and a non-login shell, so that a guess against them can never succeed. My server in particular appears to have a lot of attackers looking for gaming services such as “teamspeak” and “minecraft”. The internet is a dangerous place; be careful!